Validating a DNSSEC installation

Hauke Lampe list+bindusers at hauke-lampe.de
Fri Jun 12 02:29:11 UTC 2009


Erik Lotspeich wrote:

> I have registered with the ISC's DLV registry.  I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.

dlv.isc.org doesn't list your keys yet. It can take a day or two for DLV
records to appear after your DNSKEY and cookie records have been
checked. If you just added the zone to dlv.isc.org and it still shows a
"pending validation" state, try "request re-check" in the DNSKEY Details
section to force immediate validation.

Once your DLV record shows up, you may query external validating
resolvers and see if they set the AD flag in response. OARC operates
resolvers validating against dlv.isc.org. See their website at:
https://www.dns-oarc.net/oarc/services/odvr

dig +adflag lotspeich.org @149.20.64.20
dig +adflag lotspeich.org @149.20.64.21

A successful validation should look like this:
[...]
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
[...]              ^^

Future reference: Once .org completes their testing phase *and* your
registrar allows you to register DS records for your domain, queries
should also return AD when validated against the ITAR trust anchor
repository (at https://itar.iana.org/):

dig +adflag lotspeich.org @149.20.64.22

I also run a somewhat-public resolver using the dnssec.iks-jena.de DLV
(http://www.iks-jena.de/leistungen/dnssec.php):

dig +adflag lotspeich.org @85.10.240.255



Hauke.


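A small POSIX shell helper that automates the check described in the message above. It is an added example, not part of Hauke's post or of BIND: it reads dig output, pulls out the rcode and the flags line, and classifies the reply as secure (NOERROR with AD), insecure (NOERROR without AD), or bogus (SERVFAIL). It assumes dig is installed; the sample replies embedded in the block are constructed for offline use, not captured from the resolvers named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): classify a dig reply from a
# validating resolver by its rcode and AD ("Authenticated Data") flag.

# Read one dig reply on stdin and print a single word:
#   secure   - NOERROR/NXDOMAIN with the AD flag: the resolver verified the chain
#   insecure - NOERROR/NXDOMAIN without AD: no trusted path (no DLV/DS record
#              yet, or the resolver is not validating at all)
#   bogus    - SERVFAIL: the resolver refused the answer; if "dig +cd" returns
#              the data, the failure is DNSSEC validation, not an outage
#   unknown  - no dig header found in the input
# Any other rcode (REFUSED, ...) is printed as-is.
classify_dig_reply() {
    reply=$(cat)   # buffer stdin so it can be scanned twice
    status=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$status" in
        NOERROR|NXDOMAIN)
            # match "ad" as a whole token, not as part of another flag name
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        '')       echo unknown ;;
        *)        echo "$status" ;;
    esac
}

# Query a resolver with the AD bit set in the request and classify its reply.
# Usage: check_validation NAME RESOLVER_IP   (e.g. lotspeich.org 149.20.64.20)
check_validation() {
    dig +adflag "$1" "@$2" | classify_dig_reply
}

# Constructed sample replies (header lines only) for offline testing.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# When run as a script with a name and a resolver, do a live query.
if [ "$#" -eq 2 ]; then
    check_validation "$1" "$2"
fi
```

The AD flag only reports what that particular resolver concluded, so it is worth asking more than one validating resolver, as the post suggests. A reply classified as bogus should be re-queried with `dig +cd` before assuming a server problem: if the data comes back with CD set, the chain of trust is broken (stale DLV/DS record, expired RRSIGs, key rollover gone wrong) rather than the zone being down.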



More information about the bind-users mailing list